Over 150 photojournalists, filmmakers and media professionals have signed an open letter addressed to major camera manufacturers, asking them to add encryption to their products. While many of the storage devices and computers photographers use to store files offer encryption, the cameras themselves do not.

The letter points out that when a photojournalist's camera or memory card is stolen or confiscated, which happens regularly, their footage and images are left exposed and vulnerable, potentially putting the photographer and their sources in real danger. Encryption is commonplace in smartphones, messaging apps and many operating systems, but not in image capture devices or memory cards.

The letter is addressed to Canon, but the Freedom of the Press Foundation says they've sent similar copies to Nikon, Fujifilm, Sony and Olympus. You can see the body of the letter below; head to Freedom of the Press Foundation's website to see the full list of signees.

Dear Canon,

We, the undersigned documentary filmmakers and photojournalists, are writing to urge your company to build encryption features into your still photo and video camera products. These features, which are currently missing from all commercial cameras on the market, are needed to protect our safety and security, as well as that of our sources and subjects worldwide.

Without encryption capabilities, photographs and footage that we take can be examined and searched by the police, military, and border agents in countries where we operate and travel, and the consequences can be dire.

We work in some of the most dangerous parts of the world, often attempting to uncover wrongdoing in the interests of justice. On countless occasions, filmmakers and photojournalists have seen their footage seized by authoritarian governments or criminals all over the world. Because the contents of their cameras are not and cannot be encrypted, there is no way to protect any of the footage once it has been taken. This puts ourselves, our sources, and our work at risk.

Many technology companies have in recent years embraced encryption technology, often including it in their products and enabling it by default. Indeed, encryption has, in some sectors, become an industry-best practice. Apple’s iPhones encrypt all data stored on them by default, as do many phones running Google’s Android operating system; text messages and voice calls made with WhatsApp, iMessage, FaceTime, and Signal are all protected using end-to-end encryption technology; and laptops and desktop computers running modern versions of Microsoft Windows and macOS encrypt all data stored by default too.

However, we face a critical gap between the moment we shoot our footage and the first opportunity to get that footage onto more secure devices.

As filmmakers and photojournalists who value our own safety and the safety of our sources and subjects, we would seek out and buy cameras that come with built-in encryption. Adding these data security features to your product line would give your company a significant competitive advantage over other camera manufacturers, none of whom currently offer this feature.

Beyond the commercial motivation for adding encryption features, we know your company has commendably committed to corporate social responsibility. Building encryption into your products is not just about helping the filmmakers and photojournalists who buy them, but about making the world a better place. As filmmakers and photojournalists, we use our lenses to hold powerful people to account — and ultimately to change society for the better. Encryption features will allow us to continue to tell the most important stories, from some of the most dangerous places in the world.

You can help us reach that goal by starting to work towards building encryption into your camera products.

Thank you for your consideration.

Signed,

Over 150 Filmmakers, Photographers, and Media Workers Around the World

And there are technical difficulties too. Look at the common hardware encrypted portable hard drive. These devices I refuse to buy because each disc is tied irrevocably to a chip embedded in its enclosure. Therefore Ladies and Gentlemen (of the press etc) IF the enclosure fails you lose everything, and IF you remove the disc from the enclosure you ALSO lose everything because putting that disc in another enclosure or a laptop etc makes it unreadable without the chip stuck in the enclosure you left behind. Now, if we substitute the camera for the enclosure, and the card for the disc, you may perceive a simhilarity..

I don't see why the encryption must be tied to a particular chip. Though there is possibly a challenge in being able to decrypt the data in a fast and practical way to be able to use the camera (fingerprint reader?).

And if you lose or forget your keys, you lose ALL that work, making the entire trip worthless. Use Film instead: when everyone did there was NO protection for subjects or sources or "creators" anyway. I would suggest (humbly) that if the risk is considered that bad, you should not be there anyway: there are always plenty of local mobile sources. Also the wise will consider that under torture they would give away their "keys", but it being likely the pain would cause such memory loss, the chances are that you could die due to your faulty memory.

No, what we need more is a means of ensuring material can be encrypted and sent safely online without Microsoft or Apple or Google or Facebook etc grabbing it and selling it elsewhere-MUCH more important. This move by a few journos is just narcissism.

lol, and if your hard drive dies you lose ALL the digital photos you EVER took! Except of course if you had half a brain enough to make a backup....

There are plenty of different means already available for sending encrypted data online. I can't see how that's a great help to the photographer in the field with uncertain connectivity (let alone bandwidth) facing the challenges mentioned in the letter.

I can't believe all of these comments saying that they will just torture you for the keys anyway. It's pathetic how many people are already bending over and spreading their cheeks in anticipation of the government telling them to. It seems as though this weak county has already accepted authoritarianism before out is even upon us.

fastest decryptor is shotgun aimed to your head, or to people you care about. On one hand encryption may buy you time on another - it may lead to immediate execution with destruction of all your gear.

If you work in hot locations, document war crimes you are interested in GPS tagged photos to proof location and time of some events. In this case digital signature is needed to sign/verify authenticity of metadata. However I cannot see reliable ways to protect hardware from private key stealing. It would be just a matter of time.

Better way is immediate beaming of shot data back to "base". This method relies on stable and fast internet connection ant this may not be what you have on the field.

"However I cannot see reliable ways to protect hardware from private key stealing."

But the private key would never be anywhere near the equipment taken to these "hot locations". Naturally, bad people could detain you indefinitely until someone brings the private key from wherever it actually is, but then this kind of "leverage" appears to be routine from reading what happens to journalists going to various places in the news.

Sure, there is the matter of plausible deniability: that the accessible pictures of fluffy bunnies, cuddly puppies and cute kittens are really the ones you took on your assignment, as opposed to the encrypted ones that lurk in amongst them, obscured by various techniques that try not to give any indication of their existence (even to the camera that might be confused by such extra data or be destructively oblivious to it).

I don't know how resistant such techniques are to scrutiny, however. And for people convinced of your wrongdoing, denial only gets you so far, anyway.

No system is likely to be perfectly infallible in all possible scenarios. However, this in no way diminishes the value in seeking to improve the odds in some situations at least. If this garners any interest from the manufacturers, then we are likely to see a range of different implementations and iterations. Photojournalists will then at least have some more options open to them, and can decide for themselves what the best approach is in any given circumstance.

Marantz, Japanese maker of audio equipment, have been building encryption into their audio recorders for years to enable them for courthouse use. The price for the updated version did not change when they first came up with it. See http://marantzpro.com/products/view/pmd661mkii

Your first point is only regarding particular implementations. It is not necessary for the concept in general.Your second point I cannot understand. Why does an encryption have to be personally identifiable?

The US and UK security services have developed and do employ enhanced interrogation methods. These can be used as an incentive for the photographer to co-operate in decrypting the data of interest, when so requested.

The US president elect has clearly stated that he supports the use of such methods. The British prime minister is also not known for being a fierce opponent of such methods.

Encryption only helps if those who want to get their hands on the encrypted data cannot get their hands on the person who knows the password.

Depends passwords are not the only way to encrypt. For instance you could put the key on a thumb drive that you leave at home or with your agency in your home country when you work in conflict zones. It would not be practical for your workflow though but in some cases that might be worth it (if your agency has the key you can still send them the data encrypted so you don't lose time)

How about using an app to upload them immediately via wireless to smartphone and then deleting them from the card. On the smartphone they will be encrypted, and there will be nothing left on the card for prying eyes to see.

I think there some possible issues with in-camera-encryption, like the camera itself would have to be able to decrypt the photos (in order for you to see them in the review screen, for example), which means that either the camera will also have to be equipped with the requirement to enter some sort of code when it's powered up (which can be annoying), or have some sort of biometric scanning ability (which means new hardware required), and then there's the issue of if you have more than one photographer who needs to use said camera...

Getting them off the camera and into encrypted storage ASAP, hence my first suggestion. And by "delete", I mean a proper scrub of the data, so undeleting the pictures on the card via one of those image recovery apps won't work.

That's easy. They can implement a dual password system so that when "A' password is used, all photos taken are decrypted and shown. When 'B' password is used, an alternative sets of photos (e.g. cute cats and dogs) are shown instead. Problem solved.

Here's an idea. The encryption doesn't scramble photos, it just turns them into cute cat pictures! That way when the Gestapo, er Homeland Security, border security, [insert oppressive government jerks] security ask to see what's on your camera, they say, "Aw, cute!" rather than, "Come with me."

Reminds me of some applications I used years ago. There was a "boss" button that would instantly show a screen with an Excel spreadsheet or something.

Best way to implement a gestapo feature is to allow the photographer to keep a harmless set of photos on the camera. Input the real password and you get the real photos. Input the gestapo password and you get whatever fake pics the photographer wants them to see. If the same cat pics show up on every camera, the trick might get discovered :)

This may be a naïve question, but if some border agent in some third world country has stopped you and is wanting to see your photos due to some suspicions he may have, isn't he going to demand that you turn off the encryption so that he may gain access to those photos? If you refuse, aren't you putting yourself in as much dangers as if you might by letting him view the photos, maybe even more? Also, if you have photographed someone or something that might be illegal in that particular country, haven't you yourself put yourself in such danger? Seems to me that what is being asked here is like asking for someone to come up with some kind of protective case that would hide illegal drugs being smuggled out of a country.I'd think that by far most camera thefts are done by those interested in reselling your $5000 camera on a street corner for 50 bucks. I doubt someone doing that would give a crap about what's on your memory cards.

You're assuming the photographer has the ability to decrypt her own photos using her camera. A good encryption scheme shouldn't even allow this to be possible, thus there is no reason to torture/hold captive the photographer.

Hey Jay, what i'm saying is that if they do it right, it will be impossible for you to show anyone the photos on your camera's LCD after they've been encrypted. Even YOU cannot see them unless you are also carrying a laptop with the private key to decrypt the photos (which you shouldn't be).

No, I understand you perfectly. What I am implying is that if they suspect you, they may want to hold you and/or your memory cards until you ARE able to show them what's on the cards.Imagine photographing in an area where a major political event such as an assassination takes place. You are seen with a camera by authorities. You may or may not even have been photographing what happened. The authorities approach you and demand to see the photos. You're going to tell them you can't show them your photos? You're saying the photographer has no choice. I'd AT LEAST like to have the choice. Wouldn't you?

By the way, I think you are assuming that authorities everywhere act and react the way they do in the free world..."If the photog doesn't have the "password" to decrypt their photos, then there's no reason to torture them, is there?"Yeah? Tell that to an isis operative who is demanding to see your photos.

Hey Jay, I'm not assuming they would act as they do in the free world. Rather, this puts the choice squarely in the photojournalists hands BEFORE they are held against their will. They will choose - if I use this encryption, there is nothing I can do while under duress that will alleviate my situation.

If you have the choice while being held against your will, of course you will choose to give up your photos/secrets/whatever it takes. I think the photojournalists want to remove this choice.

I for one am humbled and feel very lucky there are people in this world to do what photojournalists do, and what they are asking for.

If the photog doesn't have the "password" to decrypt their photos, then there's no reason to torture them, is there?

Here's a simple solution: public/private key pair - the photog's "home base" (assumingly secure) has the private key. The camera contains the public key and is used to encrypt the photos. Photos are encrypted after a set interval after shooting (1 second, 1minute, ....adjustable in camera) so that the photog can review images and delete rejects. There is also a new encryption button that will force the camera to encrypt all photos immediately.

Using this there's no reason to torture the photographer for some password.

if I were someone in the position of asking for the photos, and they were locked, then i would just take the memory card at the very least. what good are encrypted files if you are unable to... read? that's if the camera doesn't suffer a "tragic accident" when my enthusiastic colleague doesn't know exactly where pictures are stored.

That's how most of the secure encryption has worked for last 20 years. Even most modern unbreakable cryptocurrencies work on the public and private key pair model. The hard part will be getting hardware with fast enough throughput.

From a computer security standpoint, this is sound. If it was in widespread use, then governments and their checkpoints would be less menacing (although they could hold the photographer and demand their employer decrypt the data as a condition of release). The problem is implementation. Doing it correctly is, as my CS professor would say, "non-trivial". You can't just snap your fingers and have a button appear as well as all the necessary infrastructure for secure key exchange.

Would the implementation be "hands off" for the manufacturers? In other words, could Reuters set up a secure key exchange infrastructure on their own, or would it all have to run through Canon/Nikon/Sony/Olympus/et al? Conceptually this is a simple idea (which is almost always good for security), but implementing it in the real world will be complex. Not impossible, but certainly "non-trivial".

@MediaArchivist, i agree with you on some points. It's definitely not trivial, but I d on't think there has to be a organization-wide secure key exchange. Just plug the camera into the computer, have it generate the keys and copy the public key to the camera, and you're done.

Now, if you need to be issued a new public key while in the field, then that's another story, and it might require what you mention.

Yeah there are plenty of alternatives to that, you could make it tied to a specific hardware, or even be geo-locked, double authentication, remote authentication, single password is just one of many methods of verification

my point was that the hardware can be destroyed so why bother trying to recover the images if you have enough suspicion?

also... protecting sources against oppressive governments... well, if they're that bad, i hope the "sources" can protect themselves from the journalists in the first place. it's safer not to trust people that get to go home in a free country to a comfortable life while you get to stay behind and live with the oppression.

What a load of idiotic crap. Clearly those writing on here have never been in a situation where someone extremely ugly, menacing and heavily armed orders you to hand over your equipment. Do you really want to accept the consequences of protecting a few images on a memory card? Speaking from personal experience, I promise you there are situations where you do exactly as you are told and you will give up whatever you are asked for.

I would rather guess that the organisation involved (Freedom of the Press Foundation) here does know what professional Photojournalists may need and how their real world looks like - alongside the 150 who signed this.

You don't necessarily need to have the *decryption* key with you, only the encryption key. And if this is a standardized and widely implemented optional feature, the adversary might actually believe that you don't have the decryption key as well.

You clearly don't understand the reasons. And you clearly don't understand this would be an option to turn on. So it will only be something someone who needs it will ever even bother with. Just because you don't need it doesn't mean nobody does.

As a photojournalist, I have to say this is a great idea, and I hope the manufacturers realize how this could make them get a big bump in sales if they're the first ones to have a viable system.

Well, if you don't NEED it, you don't need it. So do not turn it on. Pretty simple really.

You sound like the anti video crowd who want manufacturers to stop putting video in still cameras. If you don't want/need it, then don't use it. But many people will want/need it, so for them it is good. For the rest, just don't use it.

Fingerprint sensor plus supported memory card that allows on the fly encryption without a penalty.I also love the idea to make cameras unusable for thiefs. Let's also lock expensive lenses to specific bodies with the same credentials.

On the fly encryption would have to be done in-camera with dedicated chips for no write penalty. The fingerprint sensor is a great idea but considering the photographer could face torture, intimidation, incarceration, et al. coercion, a panic button that would dump the master key should be a consideration. The downside is that laws are in place in probably many nation states that would make this a punishable crime as well.

It could work pretty easily. Something along the line of synching your camera with say your laptop and another which could be backup. You put your camera near your laptop and it creates a paired device with a secure tag that is written to your sd card. If you take photos and pull the card out and put it into any other device, it won't be read. It can only be read from the paired device. Just because you can't figure out how this would work, doesn't mean it's a bad idea...jeez

Dear 150 Filmmakers, Photographers, and Media Workers Around the World,

Believe me - you will gladly give away the password protecting your gear facing the barrel of a gun or after getting beaten up badly. Or after getting drugged. Not to mention just how easy it is to get a device unlocked that is protected by fingerprints (say goodbye to your thumbs). It just protects you in case of camera theft or loss.

That being said - I admire the courage of some of you. You must have balls made of steel!

I thought about it. But then - the bloody regimes/gangs/crimelords/etc knowing that this feature is supported by the particular camera type might suspect something, don't you think? So while it might save a pedophile from being prosecuted in a country of law, it will not necessarily help the photojournalist if she/he is caught.

Just like HTTPS helps pedophiles but in some countries doesn't help the people that really need encryption for legitimate reasons. Should the browsers stop supporting HTTPS?

I guess it would be left to the person in question to judge what would be best in the specific situation. Give the key that unlocks the truly sensitive files or try to give a fake key.But sure it still wouldn't work for everyone every time. Nothing will. But if it helps sometimes with the issues pointed by the journalists maybe it's something worth to be considered.

I was just pointing out that what they are asking for is not going to solve their problems. What you propose is, in the realms of current photo technology, next to impossible. And even when implemented correctly, it still wouldn't help to solve the problem in most of the scenarios that come to mind.And no - https does not help pedophiles. And no - I'm not asking anyone to remove any features from any product. Nor am I saying that encryption as such shouldn't be implemented. But it just does not solve the problem presented.

I will not enter an argument on whether existing encryption protocols help criminals.Again, I agree that the proposed change will not work all the time.But the fact that it will sometimes, like when the camera is snatched when least expected, is enough to consider it. It can have advantages and I see no disadvantages if it's optional.I honestly don't understand why there's so much resistance and negativity around here to a simple optional change that would have positive aspects.

If it's encrypted in a way that the photojournalist has access to the pictures while in the field, then I agree that the design is susceptible to rubber-hose cryptanalysis. In some cases, even this isn't really an issue, depending on exactly where you are and exactly how far they're willing to go to harass an American journalist. Taking their camera and perusing the pics is one thing, torture is something completely different.

If it's encrypted using public key cryptography in a way that the photojournalist is completely incapable of decrypting the files until they return home, then she wouldn't have the option of giving them the key. You're right that this limits the options of the journalist, but it limits the options of their captors as well. Odds are they take the camera and lock her up for a while to show that they're serious. If they're going to torture her even know they know they can't get the pictures, what makes you think getting the pictures would have stopped them?

Asking this is like asking "don't let us view and edit our own raw/jpeg files". Do they really want that? (note that being only accessible in your laptop is not secure at all. If that government can seize your cam, surely will seize your laptop too. Especially when they figure out how this securing process works).I guess what they truly want is an option of terminating the evidence, without losing data. Well in that case, encryption is not the solution. Instant upload to news agency servers is. But the problem with that is in most of dangerous-for-PJs areas of the world, internet accessibility is controlled by government, which can easily block your agency ip address or close ports the uploading needs.

That's not how encyption works. You can encrypt the file and still have it viewable. The most logical method would be to make the card encypted and upon insertion into the camera it would ask you a password in order to be able to view and write onto it. It's the same thing with laptops, if you own Windows 10 Pro or Windows 8 Pro you can enable Bitlocker and automatic file encyption. Upon startup your PC will ask for a password, no password means you can't view the files, even if you remove the hard drive and insert it into something else.

So basically, you can have encyption turned on by default, with password (or other methord of authetication) upon insertion. Got held up by security? Pull the card out, done.

But more often a camera would be seized out of someone's hands while they are shooting. Then the person could delete incriminating evidence. How about soft deletion that intentionally preserves the underlying data and those storage bits can't be released to be re-used without deletion using a password.

It's impossible to say what is good enough without understanding the threat. If the threat is somebody swiping your camera, then simple password protection is probably sufficient. In this case, it's perfectly fine if you are able to decrypt them on your laptop, so long as your laptop is also encrypted.

I'm guessing that you're picturing something a bit more dangerous, where they try to force you to give them your password. In that case, only accessible on your laptop is STILL plenty secure if your laptop is safe back in Iowa while your camera and you are in Unsafe-istan doing field work. Yes, in this case you are unable to access your files while in the field.

If your threat scenario is the NSA who (hypothetically) have a working quantum computer and unlimited financial resources, decryptable on your laptop is nowhere near secure enough. Then again, it would probably be cheaper for them just to hire someone to follow you around.

My idea of years ago of including a proximity sensor in a separate device such as...say...a rectal dongle to be used. When the camera and user separate more than six feet the camera shuts off. I think the idea is great but some say it's too.... cheeky.

More seriously and practically, incorporate a bluetooth app that when disconnected from the camera, the owner cdecides will shut off the camera via smartphone. As long as the connection is maintained the user has control. Surprised it hasn't come up sooner...

Good in theory, horrible in use. Besides the overhead of encryption and its negative impact on burst modes, do you want to have to input a pin number to "unlock" your camera everytime you want to take a picture? Or would you be fine with only having to enter a pin when you want to review a taken picture?

Not to mention the negative impact on workflow. Who wants to run all their pictures through a weakly supported program, made by their camera manufacturer, to "decrypt" their images before opening them in pshop?

What does a 5 digit code have to do with anything? As several others pointed out, the right way to implement this is with public key cryptography, where they encryption key and decryption key are stored separately.

Nevertheless, you don't need a touch screen to enter 5 digits into a camera.

Why do you need a method of "unlocking" a locked device...? Here's a better question, why would you want an encrypted device that automatically decrypts content whenever any person turns it on? Or do you just not want to review images on the camera?

So you guys want to click through with a single button or a dial to input a keycode everytime you turn on your camera? That would be a horrible interface.

Not 90% of the time, but I think a photojournalist traveling in regions where the law does not protect their rights might want an option to activate a high security password protected mode.

Realistically I imagine any manufacturer implementing a passphrase and encryption feature might do it first on a model targeted to photojournalists and put a touchscreen on it. And while the industry isn't fully there yet, some manufacturers are already 100% touchscreen, and for the others, it does seem like a lot of recent models have been getting touchscreens. So this objection has a half-life of maybe 5 more years at best. Unless you're a Fuji photojournalist :)

the question is not whether we can, but whether we should. on DSLRs, which have low power consumption, you could implement encryption probably... even though people complain about overheating even now, imagine the processing overhead needed to encrypt data in real time. not to mention how it would affect burst mode. on anything with live view and battery ratings of under 400/charge i would hope this is an optional feature disabled by default. just for the general public that doesn't actually need it, such as myself.

also, if the additional costs are significant maybe this should be a paid software add-on, or if it's an entirely hardware-based solution it should be a different camera model.

it's just like built-in wi-fi and GPS: it's all fun and games until your battery dies just when you need it the most, or it bumps up the price of the camera by too much.

afterthought: this may never be implemented, or at least not properly. think about all of the big governments around the world that require large companies to implement back doors to allow them to spy on the users. now ask yourselves: would Canon, for example, be able to sell an encryption-enabled camera in those countries, if it violated the local government's policy? how about manufacture the camera in China, who will no doubt require access, if not outright forbid encryption. Look at what Google and Facebook do to gain access to certain markets. Facebook bows down to EU (especially Germany) demands to police "hate speech" and work with local authorities. Would Canon implement poor encryption and still be able to sell in China, Iran, USA (think about the NSA's requests to large software companies), or just produce the encrypted model for Japan only? would that model be legal to own in the aforementioned regions if it existed? maybe it would be locked so tight, it couldn't be exported

AES needs no intense Computation Power, this was one of the rules of the commitee. I guess a cam which can write 4k has more than enough power to encode some strong cypher... every lousy WiFi-Router implements AES.

routers are not battery-powered, and unless it's a very bad case design, overheating is not an issue. also, the CPU in a camera is probably specifically created to encode photo and video, while a router's CPU is designed for networking tasks. implementing hardware encryption would require additional circuitry in the camera CPU. even if it uses low power, it's still additional power.

my smartphone has more power than my router probably (i haven't looked it up). that being said, my router can also handle an openvpn server with AES-128 encryption, but i have enough bandwidth to see it cap the tunnel at about 50 Mb/s, all while running quite warm (due to poor case design). this is on a 1 GHz dual core ARM CPU. pretty much all routers i've had ran warmer than any camera i've put my hands on. and you don't want the camera's sensor to get warmer than it already does. so that's why i'm saying that even if it's relatively low computational power for AES, it's still additional power and heat and CPU die size.

i'm not holding my breath for this one. then again, the iphone was a success despite my expectations, so...

Heating up the sensor because of AES? The sensor is no CPU, he has nothing to do with. Believe me, AES is not very hard to crypt for modern architectures... Canon or Nikon could even include a dedicated chip for it. And I really want to know what went up with "don't heat up the sensor" since the mirrorless went to market... they use the sensor all the time just to give the user an EVF. A few years back a quite common opinion was that even a longer exposure can give more noise...

The only safe practise would be to upload the pictures through an encrypted link to somewhere physically out of reach, and to remove it from the recording device.

OR some slightly less safe variant that needs less bandwidth: An advanced version where the files are encrypted with a system generated key (UNKNOWN to the photographer), that are sent out of reach, so the files can not be unlocked before the photographer gets back home.

As several points out, a key known to the photographer could well lead to threats/torture to reveal the password, thus just escalating things...

ADD: A little more on the second idea. Imaging some small server-box with a GPS that receives the keys through the internet, but ONLY unlocks the keys when the box and the camera are physically close - say simple NFC. and only unlock at the position it got the keys. This way anyone really wanting the pictures would have to know that place and to go there with the camera and break in.

@zkz5 except one tiny detail: That principle uses a common fixed key to encode all images on the camera, thus making the life of the attacker easier.

If this should be safe the camera should use the public part of a POOL of pre-generated public/private key pairs, these might even be deleted of the camera as the pictures are encoded. Each key could be used for multiple images, but should not be used for all.

You have to keep wondering why on the software front camera manufacturers keeping lagging behind so much ... There are tons of interesting ideas for firmwares, from a very simple 'Longer than 30 sec. selectable exposure' that took them over a decade to implement, to in-camera RAW histograms (rather than JPEG), and as these are not exactly great feats of programming you'd think they'd come up with this stuff on their own to stand out, but no. You'd think companies like Canon would introduce encryption to please their massive journalistic user base, but apparently no one there is creative enough to come up with something beyond 'more AF points' and 'make that screen tilt'.

Nikon had a noticeable exception with their ingenious automatic AF adjustment.

I think they are talking to the right people. Read the link i posted below. To make a self encrypted SD card, it has to have it's own controller to actively encrypt/decode the data and a protocol for communicating to the operating systems that writes files on it. Each camera manufacturer has it;s own custom (and closed) operating system, so making a SD that would work on all those it's pretty much impossible.Doing it in camera, on the other hand, is just very simple.

No, it's the makers of the operating system/firmware that need to support it, therefore camera manufacturers. Even if memory card manufacturers were to encrypt all the data on the memory card, how would the user interact with it (for example to enter/change a password) if the camera operating system/firmware doesn't support it?

This is something that should have been standard a long, long time ago. Not just for journalists and professionals, but for example imagine a couple on holiday who have 'personal' photos amongst their holiday photos and their camera get's stolen. Those photos will inevitably end up across the internet pretty quickly and completely outside of their control. This can't come soon enough.

Google announced an encrypted memory card a while ago, but i don't think it ended up in a product yet. Anyway, it was compatible with the common operating systems, but not cameras (unless they use android).

FWIW, here's a link with detailed information on adding encryption to samsung NX300 via custom firmware. I have also tested encryption on NX500 by using openssl implementation and speeds range from 20 to 60MB/s depending on the algorithm and key size.https://sites.google.com/site/nxcryptophotography/

Undoubtably there are some genuine concerns for the safety of persons such as photojournalists who need to protect sensitive images. However one should consider the negative impact it can have which can include a significant price increase in camera models for average photographer or professional who has no need to encrypt their images via camera. Instead I would urge such persons/journalists to take the necessary measures to download and encrypt their sensitive data using the tools already available. To make such a request from camera manufacturers is in my opinion reflects an unwillingness to take full responsibility for securing their own data. What we need to understand here is any act to protect our privacy or that of the persons we work with cannot be dependent on any one piece of hardware or software but rather by engaging in sound practices ourselves and simple common sense.

Why would this mean a significant price increase in the camera? The feature can be implemented entirely in firmware running on the existing camera hardware. The poster right after you pointed out that it has been implemented after the fact in the Samsung NX300 & 500.

It's a cheap and easy feature to implement, many smartphones already have this. And if you take time to read their letter, you might understand the reasons, rather than jumping into calling some 150 top photojournalists "unwilling to take full responsibility".

Think of a simple case: a journalist takes some interview of a guy (and promises him full anonymity). Just as they leave, they get their camera stolen or confiscated, by someone suspecting what they are doing, and thus they can't do anything about the data on the card. Encryption on the device itself would have save to keep secret the identity of the interviewed person and the information revealed. No time to run encryption via some other system.

"Just saying", but not really reading.Try this bit again:"On countless occasions, filmmakers and photojournalists have seen their footage seized by authoritarian governments or criminals all over the world. Because the contents of their cameras are not and cannot be encrypted, there is no way to protect any of the footage once it has been taken."

I have an app that uses an automatic timeout of a password and you can set it to every 5 min to every 6 hours. As an anti-theft device, that's very unintrusive but would be quite effective. Wouldn't work as well to protect content, though, since photographers want to review photos as they go.

Somehow, I would not trust camera manufacturer's encryption solution given the somewhat pathetic software they usually ship with the cameras and state (or total lack of ) "digital age" features such as wifi, etc.

Any implementation of encryption will be based on the current standards like AES.... they're not going to reinvent the wheel so I can't really see how they'll mess it up. 256bit AES is extremely difficult to brute force crack and is considered unbreakable due to the time and resources it would take exhaust the key space. It's also very resource light when actually encrypting, the current cameras will probably take a performance hit with a firmware upgrade... But newer cameras will only need a slightly better CPU or better still an ASIC or FPGA to offload it.

yes, but the "performance hit" would not be a real problem, since the encryption could be turned on/off, and for sensitive information when you want encryption, filming in 720p with encryption instead of 4k would not be an issue :)

It is my understanding that AES is just the algorithm used. How you implement it is an entirely different question. You could do it a smart way, something like public key cryptography with the private key being kept in the office of the film maker in the home country, or you could do it a myriad of other ways that would make it incredibly simple to bypass encryption and would be published online within of week of the camera's release.

Let's be honest here and also point to the fact that photographers are not very tech-savvyy and would probably mess up even given a good solution. Weak passwords, keeping private keys with them to review the photos on-the-go, etc. It strikes me that a G.I.-proof solution of a dedicated device that you insert your SD cards in to flash images on a dedicated drive with a physical key that the user is expressly told to keep in a safe would be an easier and more universal solution.

What we need is encryption built into memory cards. Heck, if they can put wifi in them little things, they can be self-encrypting. Don't make us pay for a few sloppy journalists who can't keep track of a 50 kg bag of DSLR junk.

If my camera was stolen, I wouldn't care about the inages from the jobs I use it for being viewed or used or deleted too much, except if the card contained images of the people I sometimes shoot.

I also use it to photograph my very young (baby) daughter, sometimes in the bath and I wouldn't want anyone to have access to those images ever, so, whilst I've never thought of it before, encryption would be a point of difference I'd consider when buying my next camera.

I think the first manufacturer to implement it would have many customers looking their way.

Ever heard about people buying Apple iPads, phones second-hand, then finding out the thing is locked and can't be unlocked except with the permission of the original owner? Do people really want cameras showing up on Ebay and in stores like this?

iPhone lockup is a anti-theft measure. What's discussed here is encryption. An encryption won't forbid you to continue use the camera, it simply won't allow you to view the data stored on storage(CF, SD) without correct pass code.

I think the big problem with this is that good encryption isn't computationally cheap enough for the relatively slow ARM32 processors used in most cameras. Using CHDK, ML, or OpenMemories, one could probably put code into a camera to do this, but it would almost certainly be as a slow in-camera postprocessing step. It would be pretty hard to convince companies to add encryption hardware....

Actually, a lot of Flash memory cards also have ARM32 cores that could be programmed to do it... but then the camera probably wouldn't be able to review the files once written.

The capability of ARM processors shouldn't be the concern. There are more powerful ARM SoC designs available, should a camera company choose to utilize them.

I agree that the problem is: "So, this image is encrypted... should we let the camera read it afterwards?" Doing so would basically mean the keys to reading the files remain on that particular camera, and if someone has access to that camera, they have access to the files. But if the media is not reviewable on a camera, then some other data has to be provided via a common application or piece of hardware to decrypt the photos so they're readable again. Apps and hardware can be hacked, which means any encryption is basically a deterrence, at best.

"Apps and hardware can be hacked, which means any encryption is basically a deterrence, at best."

I'm actually talking about hacking in to implement encryption. ;-)

Anyway, hackability shouldn't compromise a good encryption scheme -- it's generally assumed that attackers would know the encryption algorithm. The catch is that the 1st commenter, Timbukto, was very right in pointing out https://xkcd.com/538/ -- the attacker can just torture the photographer until the decryption key is revealed.

What you'd really want is a public key system where the camera could encrypt images so that ONCE ENCODED they could ONLY BE DECODED BY A PARTICULAR SEPARATE COMPUTER, and NOT by the camera that made them. Thus, the photographer and camera literally wouldn't know the key to decrypt by. The taking camera could even broadcast the encrypted data to whatever compatible wifi devices will accept it -- thus allowing secure recovery of the data even if the original copy is destroyed.

"What you'd really want is a public key system where the camera could encrypt images so that ONCE ENCODED they could ONLY BE DECODED BY A PARTICULAR SEPARATE COMPUTER, and NOT by the camera that made them"

Best idea I've read here so far. For any of this to work it has to be well known that an adversary cannot coerce the key out of the photographer.

It's not immediately intuitive to me that you could encrypt a file using the public key where the private key is not involved and yet the private key is needed to decrypt it. Can someone confirm this is how public key encryption actually works and that the private key isn't needed during the encryption phase? If so, almost seems like a perfect solution.

I'm surprised camera data encryption isn't already a thing. We're talking a few KB of data added to each image & minimal processing power on the behalf of the camera to ensure that information remains secure and/or confidential. The media most cameras use - Secure Digital - supports encryption; a SD card's ROM could probably be modified to secure erase after too many password attempts.

With that said, encryption is only as good as its design and implementation. Companies get hacked all the time, and their cipher data could be stolen and distributed. Backdoors are made because some companies willingly hand the keys over to any government who politely asks. Heck, even the few bits of information passed back & forth between camera & the card could leak enough data for a crack. Nothing is foolproof, and encryption might just wind up being a mild inconvenience instead of a huge detriment.

Before anyone cracks wise: This is part of my job. I think about security in practical terms a lot.

SD cards have a locking feature whereby the card will reject all read/write attempts until a password is given. That might be what you were thinking of. The data in that case is not *encrypted*, however - the controller in the card is simply rejecting requests to read it.

Extracting data from card locked in such a manner is probably very difficult but not beyond the ability of a government.

@whyamihere: Public key crypto has been around for decades and is a very robust solution. As long as you keep the private key outside of the camera and implement the system in good faith, the weakest link is, as always, the user.

I agree completely. Some time ago I was poopooed on these forums for suggesting people consider encryption on their computers and phones to ensure the privacy of their personal photos, videos and data.

There are some very good free encryption tools available for computers, but be wary of free smartphone encryption apps. They may not be nearly as secure as they imply. Before committing to one, be sure it does what you 'think' it does.

I use TrueCrypt/VeraCrypt on the PC and EDS (not free) on my android smartphone. EDS can read/write TrueCrypt/VeraCrypt containers. EDS does require root, however.

Encryption for your phone or computer is only as good as your habitual use of either. You're using an Android phone which decrypts your data anytime it's passed through Google's servers (which is often), and most Windows apps do the same. TrueCrypt, VeraCrypt, and EDS are, shall we say, flawed, at best, and are only useful at preventing people from getting data from a device they have physical access to and no known password. If you're freely transmitting unencrypted data across the internet by way of using normal, everyday apps and operating systems, then there's no point.

People really seem to misunderstand what encryption does and does not do, nor how to best implement it. All you seem to be doing is giving yourself a false sense of security on leaky devices with encryption apps that often do more harm than good.

Wow, arn't you the negative Nelly. At no point did I talk about google servers, or windows apps.

Please enlighten me as to why/how TrueCrypt/VeraCrypt/ESD are flawed.

By the way, what we are really talking about here IS preventing people from accessing data to a device they now have access to. Did you read the above article are equipment being confiscated by 'authorities'?

Depends on if you're trying to attain real unbreakable encryption or if you're just trying to put up enough of a barrier that nothing less than a forensic decryption effort will work. For Glenn Greenwald, you probably need true unbreakable encryption. For a photojournalist whose camera gets seized by an unruly officer who doesn't want to be in the news, decent encryption will be enough.

Did you read the WHOLE of the story before you let rip??? The letter to Canon is one identical to those sent to other major camera manufacturers - it's a sample and nothing specifically to do with this company alone. This is not a brand issue, it's a pan industry issue.Your response also shows a simplistic and woeful ignorance of the issues of security for the technologies involved.Suggestion: READ THOROUGHLY, ENGAGE BRAIN, THINK, FACT CHECK probably stop there before you write and save yourself the embarrassment.

Despite all of the flak that smartphone cameras get here on DPReview, especially the iPhone, when you account for Apple's consistent efforts to implement and protect security and encryption on all their devices, it turns out the iPhone is one of the most secure cameras a photographer can possibly use right now.

@naturetech, by trying very hard to trivialize this issue to the tired old joke about selfies, food, and dog photos, you're essentially trying to argue that the iPhone is not used by photojournalists, NGO and relief workers, and not used by activists, citizens, or others photographing world events. You're also arguing that the use of an iPhone to create the cover of last week's Sports Illustrated did not actually happen.

By doing so you are arguing that you do not understand the use of smartphones, or the issues and implications around encryption, and not contributing to any kind of solution.

It's also a matter of time before hackers get to cameras' operating systems, via Wi-Fi, for example, and do some serious damage, or demand a ransom.With the convenience of wireless communications, there is an equal amount of risk.Imagine a scenario where a photo journalist, or a sports photographer at the start of a big event turns the camera on to see a colorful message on the screen from a hacker, and to find that the camera has been locked up.What a nightmare!!!I think that manufacturers need to address this issue with dual verification when it comes to wireless communications.Let's see what some network experts think.

@gorllu, it is not at all far fetched to imagine that "smarter" cameras mean more potential to hack them.

Hackers have already compromised billions of connected devices. And we are not talking about normal computers or smart phones either. Anything running an operating system that allows for connection, storage and program execution is vulnerable. The problem with the first batch of devices in any category is that vulnerabilities are many and open.

Consider that computers have been around for many decades now and we are still susceptible to hacks. computer viruses, malware, ransomware, and the rest.

Anyone keeping up to date with cybercrime will be aware that hackers have already created botnets using compromised CCTV systems to carry out distributed denial of service (DDoS) attacks on websites and other communication systems.

It's real. It's happening now. And if you don't understand it, then go and find out because technology isn't waiting for you ;-)

Lucky the Hackers might be a lot more interested targeting the live broadcast of the event, and with the amount of photographers in every live events, I could say they are totally disposable, at the worst case scenario broadcasters just buys some snapchat footage or something like they do every day

I think it is naive to think that hackers will not target cameras.They have targeted various IoT devices, probably in the millions, in one of their latest attacks. They used them as bots, and crippled a major chunk of the Internet.Another big concern is that cars may soon be a target.Just imagine how valuable the target is if it was a dozen Getty photographers, and then the hackers managed to lock up their cameras at the very start of the super ball, for example.They may not care to go after a lone photographer trying to take a picture of a lighthouse, again, for example.The threat is there, and it is real.

most if not all hackers these days are working towards a payday.the days of exploiting vulnerabilities in OSs and virus programs and such is mostly done with.todays hackers employ social engineering tactics (click here to; ...win a prize...update adobe flash...confirm your bank passwords...etc..) which only works on the "gullible". how does simply "taking over a camera" benefit the financially motivated?

@Paul Auclair, that is only partly true. I agree that social engineering is behind what many news outlets report as "hacking" these days.

However, you have to look at the range of cyber crimes to appreciate that the old notion of hacking individual systems for profit is not the only thing to be concerned about.

The reason that some cyber criminals are interested in the millions of devices that form the so-called "Internet of Things", is that each device is a resource for a larger plan. Huge botnets are created from compromised systems with internet access, including CCTV cameras, to be used in attacks on sites and services.

Apart from serving their own ends, criminals make money from renting out these botnets. They make money from using these to bring down sites to order. The money can come from other criminals, those that gain from sabotage or various intelligence services (as we know from recent events).

thanks for your time.assuming the way a 'hacker' will gain control of a camera is via wifi So...what can I do with a camera when I am connected via wifi?I can change exposure settings, release the shutter, delete recently taken images, and power the device off. I can connect to a printer to print files. I can not do online shopping/banking etc., link with other cameras to create a network, etc..The camera does not have stored login credentials/banking info, does not have keystrokes to log, will not run executable files, and can not link with other cameras to take over the internet.So would a hacker be able to do anything with my camera that I could not?If I am operating a camera and it seems as though someone else has taken control of it what happens if I simply disable the wifi? what incentive does a hacker have to attempt control of a camera...not millions of internet devices...a camera...a simple ordinary camera?

Wifi is another means of connection to the internet. I'm assuming this discussion is about the broader changes in technology that allows cameras to run operating systems with a range of software features.

It's perfectly reasonable to believe that such devices will readily accept applications, plugins and other executables, just like a computer can.

Most people who fall victim to malware, ransomware (where files or a device is encrypted pending a payment to a hacker) randomly. In other words, an attack is not a personal attack. You pick up the virus/malware through interacting with a compromised site. The compromised devices then contacts the hacker.

What does this potentially mean for a camera owner? Possibly your device OS being encrypted, rendering it non-functional. Images shot with the device being transmitted, on connection, to a remote server. Or, hackers gaining access to your wider WiFi network while the camera is connected.

i'm not trying to promote a tinfoil hat conspiracy distrust of the technology. Just pointing out the realities of current technology as it relates to vulnerabilities and the need for caution.

German researchers already discovered (2013) a weakness with a Canon DSLR camera that allowed a hacker to steal photos, upload files to the camera as well as use it for spying.

A quote from the report:"the researchers were able to exploit 1D X thought four different ways. The common aspect of all these ways was the 1D X communication with a wireless network. (While the 1D X has no built-in WiFi, it’s compatible with Canon’s Wireless Transmitter WFT-E6A dongle, which attaches to a side port on the DSLR.)".

It goes on to point out that any such setup, not necessarily Canon, was easily hacked.

As I mentioned earlier, many of these wireless features arrive in new devices without the precautionary measures taken for standard routers or computer systems.

I agree.Now imagine that they would lock up all Getty's camera at the start of World Cup, or the Olympics, and demand immediate pay to unlock them.What do you think Getty would do?That's quite a window for big money. And there are lots of other photo and video agencies at such events.Any device with any sort of wireless feature needs to have security and encryption built in it.We are not living in an all-civilized world; we haven't been actually.

"What do you think Getty would do?"turn camera off (or if necessary remove battery to do so) to disable wifi and continue shooting with wifi disabled?use back up camera with wifi disabled?shoot tethered? I guess encryption might be of some use/comfort to those requiring some sort of security against unwanted use/actions of their data/device. However I also believe that if a camera is enabled to encrypt data then perhaps a hacker then will be able to (and want to) hack a camera to add his/her own encryption...payday/ransom.

@Paul Auclair, turning off a compromised device only turns it off. It wouldn't remove malicious applications that are stored with the software necessary to operate the device. Nor would it decrypt encrypted files if the malware payload was designed to do that.

Remember, as cameras and other devices take on the operating characteristics of the conventional computer - a standardised OS, executables, updates, internet connection, etc., the vulnerabilities increasingly match what exists for your laptop/desktop.

A full factory reset may get rid of a problem, though not the vulnerability. However an event probably won't be restaged to allow you to recapture lost work.

Anyway, we may have veered away from the core substance of the article on data encryption in cameras, into the wider changes to the technology. Mostly my own fault.

sh10453security against theft or damage of one's assets of any kind is a valuable option to have. you asked about a solution to rectify a hacked 'camera' andI replied that I'd shut it (the camera) off or use a back up. you did not ask me what i'd do about a compromised computer.I find it odd that you replied with a smarty comment referencing an entirely different topic/question.So, a question for you because i'm curious... how many folks/pros do you think use computers and/or laptops to shoot major/important events?to clarify...using a computer "for the purpose of capturing images" (like an ordinary camera does) and not for storing/editing/uploading to head office later on. I ask because my posts in this thread all pertain to cameras but all replies to my posts are related to a wide variety of internet capable/smart devices and have little or nothing to do with cameras.been a slice,Paul

I don't think border guards are the real issue here. After all, data can always be moved and encrypted before crossing a border.The issue is a photographer can be stopped any time and his data be seized by any conflicting party.

Sure, true. I'm making the point that the Patriot act and homeland security legislation are significant, and impact many facets of information control for countries working with the US. There was a legitimate reason not to hand over data, that was ignored. This could be asked for in the street, as well as at a border, coming in or going out.

I agree with this, but there are other factors to consider. Anyone who crosses borders, on behalf of an employer, risks having data confiscated, copied or both. Do not underestimate the kind of pressure a press photographer can be placed under, if a customs official, border guard or police want to access data. In some jurisdictions, this can amount to a threat to life. I've often considered what I would do in the event a US or Canadian border guard wanted to access my encrypted croporate laptop. I don't think I'd have any choice but to comply.

Better not to transport data across a border. Far better to transmit it, encrypted, and then cross the border without it.

True, but in non-life threatening situations, the encryption forces the border official to escalate the issue to a whole other level that they may not be prepared to do, rather than just abuse their everyday powers like they can without encryption.

There are some implementations that can have dual passwords. Enter one password and you get access to the encrypted material, enter the other and you get access to non incriminating data, the real encrypted data remains hidden.

better pray that the person asking you to see what's on the memory card isn't knowledgeable enough to check whether all contents are accounted for when using the dummy "safe" data. pretty much "see how large is the accessible data" vs. "see how much space is used on the drive". if you see a noticeable difference between the two something is being hidden. especially with today's media file sizes you couldn't disguise more than 2-3 16MP photos as "file system rounding errors". better not try to hide 5 minutes of 4K video.

Plausible deniability is provided by applications that allow you to encrypt with two passwords. The first password is one that you give up if you have to. While it allows access to the outer encrypted container, the password holder should have only innocuous or safe content stored there.

The second password decrypts hidden or protected content inside the container. As there is no evidence that a second layer of encrypted data is stored inside, it isn't evident that a second password is required. However, someone with the second password can access and mount the inner encrypted container by using the second instead of the first password.

Latest in-depth reviews

The Nikon Z6 may not offer the incredible resolution of its sibling, the Z7, but its 24MP resolution is more than enough for most people, and the money saved can buy a lot of glass. Find out what's new and notable about the Z6 in our First Impressions Review.

Many cameras today include built-in image stabilization systems, but when it comes to video that's still no substitute for a proper camera stabilization rig. The Ronin-S aims to solve that problem for DSLR and mirrorless camera users, and we think DJI has delivered on that promise.

The SiOnyx Aurora is a compact camera designed to shoot stills and video in color under low light conditions, so we put it to the test under the northern lights and against a Nikon D5. It may not be a replacement for a DSLR, but it can complement one well for some uses.

At its core, the Scanza is an easy-to-use multi-format film scanner. It offers a quick and easy way to scan your film negatives and slides into JPEGs, but costs a lot more than similar products without a Kodak label.

Latest buying guides

If you're looking for a high-quality camera, you don't need to spend a ton of cash, nor do you need to buy the latest and greatest new product on the market. In our latest buying guide we've selected some cameras that while they're a bit older, still offer a lot of bang for the buck.

What's the best camera for under $500? These entry level cameras should be easy to use, offer good image quality and easily connect with a smartphone for sharing. In this buying guide we've rounded up all the current interchangeable lens cameras costing less than $500 and recommended the best.

Whether you've grown tired of what came with your DSLR, or want to start photographing different subjects, a new lens is probably in order. We've selected our favorite lenses for Sony mirrorlses cameras in several categories to make your decisions easier.

Whether you've grown tired of what came with your DSLR, or want to start photographing different subjects, a new lens is probably in order. We've selected our favorite lenses for Canon DSLRs in several categories to make your decisions easier.

For the past few weeks, our readers have been voting on their favorite photographic gear released in the past year in a wide range of categories. Now that the first round of voting is over, it's time to pick the best overall product of 2018.

Sony had the full-frame mirrorless market to itself for nearly five years, but it's no longer alone – the Nikon Z6 and Canon EOS R have both arrived priced to compete with the a7 III. We take a head to head to head look at these three cameras.

As if it needed one, the triple-camera smartphone might really be the final nail in the compact camera's coffin. DPR contributor Lars Rehm brought the LG V40 on a hiking trip recently and found it to be a huge leap forward in terms of creative freedom.

Renowned UK-based landscape photographer Nigel Danson has been using DSLRs for years. In this video, created exclusively for DPReview, Nigel discusses his experience using the Nikon Z7 and why he's excited about mirrorless cameras. (Spoiler... beautiful scenery ahead.)

Chinese optical manufacturer Kipon has added the Nikon Z and Canon R mounts to its range of adapters made to attach medium format lenses from Hasselblad, Mamiya, Pentax and others to full frame cameras.